CN103297238B - Identity authorization system - Google Patents

Publication number: CN103297238B
Authority: CN (China)
Application number: CN201310178207.3A
Other languages: Chinese (zh)
Other versions: CN103297238A
Inventors: 熊楚渝, 陈雨霖
Current and original assignee: CHENGDU CYBERKEY TECHNOLOGY Co Ltd
Legal status: Active
Prior art keywords: information, certificate server, personal authentication, authentication apparatus, content
Landscapes: Management, Administration, Business Operations System, And Electronic Commerce

Abstract

The present invention relates to an identity authorization system comprising a personal authentication apparatus held by the user and an authentication server held by the authenticating party, the two sharing pre-agreed symmetric secret information SK and a set of authentication content RD made up of content information RC and biological information RB. The personal authentication apparatus comprises a collecting unit, a processing unit, a communication unit and a storage unit. The authentication server comprises at least a communication unit, a processing unit and a storage unit. The collecting unit, communication unit and storage unit of the personal authentication apparatus are each connected to its processing unit; the communication unit and storage unit of the authentication server are each connected to its processing unit; and the personal authentication apparatus and the authentication server communicate through their respective communication units. The beneficial effect of the invention is that the authentication factor "a biological characteristic the user has" is effectively integrated with the other authentication factors, improving the security and ease of use of multi-factor authentication.

Description

Identity authorization system
Technical field
The present invention relates to the field of computer information security, and in particular to computer identity authentication.
Background art
Authentication, and the closely related control of transactions, is the process by which an authenticating party (usually a service provider) authenticates an authenticated party (usually a user), confirming identity, ownership, associated rights and so on. At the most basic level, it is the process by which the authenticating party processes and confirms the information submitted by the authenticated party, that is, the process of accepting that information. In principle, classifying the submitted information gives the so-called authentication factors. The first factor, "what is known", means the authenticated party possesses some special knowledge that others cannot easily learn, usually a password, passphrase or the like. The second factor, "what is held", means the authenticated party holds some concrete object; the most famous example is the tiger-shaped tally issued to generals in ancient China as imperial authorization for troop movements, and today tokens, seals and smart cards (such as credit cards) are widely used. The third factor, "a biological characteristic the user has", is something physiologically particular to the individual, such as a voiceprint, fingerprint, eye print, vein pattern, facial features or behavioural characteristics.
Early identity authentication techniques used these three factors separately; a technique that uses only one factor is called single-factor authentication. This is in fact still the situation in most cases today, for example the login passwords of network accounts. Single-factor authentication is quite insecure, however, and to improve security two or more factors need to be used together, which is called multi-factor authentication.
Multi-factor authentication schemes in the prior art have the following shortcoming: without a systematic method, costs are higher and use is less convenient. In particular, each user (authenticated party) deals with many service providers (authenticating parties), and without a suitable method it is hard to deploy multi-factor authentication widely.
The applicant filed the invention patent application "identity recognition method for computer system" on June 27, 2011, which discloses a two-factor authentication scheme. That scheme makes two-factor authentication (what is known, what is held) easy to carry out, but it has no concrete method for integrating the biological characteristic the user has into a complete method that unifies all three factors, so its security and ease of use still fall short.
Summary of the invention
The object of the invention is to further improve the security and ease of use of existing multi-factor authentication schemes by proposing an identity authorization system.
One technical scheme of the present invention is: an identity authorization system, characterized in that it comprises a personal authentication apparatus held by the user and an authentication server held by the authenticating party, the personal authentication apparatus and the authentication server sharing pre-agreed symmetric secret information SK and a set of authentication content RD made up of content information RC and biological information RB;
The personal authentication apparatus comprises at least the following units:
Collecting unit, for capturing the authentication content RD input by the user;
Processing unit, for decomposing the authentication content RD into content information RC and biological information RB; for computing first information B from the biological information RB, the symmetric secret information SK and the one-time information T using a preset first algorithm; for computing second information C from the content information RC, the symmetric secret information SK and the one-time information T using a preset second algorithm; and for computing third information M from the first information B and the second information C using a preset third algorithm;
Communication unit, for data communication between the personal authentication apparatus and the authentication server: receiving the instruction that the authentication server sends to the personal authentication apparatus together with the corresponding one-time information T, and sending the third information M from the personal authentication apparatus to the authentication server;
Storage unit, for storing the data obtained from the collecting unit, processing unit and communication unit of the personal authentication apparatus;
The authentication server comprises at least the following units:
Communication unit, for data communication between the personal authentication apparatus and the authentication server: sending the instruction from the authentication server to the personal authentication apparatus together with the corresponding one-time information T, and receiving the third information M that the personal authentication apparatus sends to the authentication server;
Processing unit, for decomposing the third information M into the first information B and the second information C by the inverse operation of the preset third algorithm; for taking the first information B or the second information C obtained by the decomposition, or the first intermediate information BRg corresponding to the first information B, or the second intermediate information CRg corresponding to the second information C, and storing it in the database of the authentication server as the user's authentication-time registration data W1; and for comparing W1 with the registration data W that was computed in advance and stored on the authentication server: if W1 is consistent with W, the user's identity authentication passes; otherwise it fails;
Storage unit, for storing the data obtained from the communication unit and processing unit of the authentication server;
The collecting unit, communication unit and storage unit of the personal authentication apparatus are each connected to its processing unit; the communication unit and storage unit of the authentication server are each connected to its processing unit; and the personal authentication apparatus and the authentication server communicate through their respective communication units.
The beneficial effects of the invention are as follows. In the authentication process of this technical scheme, what the user knows, what the user holds and the user's biological characteristic must all be present and correctly used at the same time; otherwise authentication cannot pass. Note that the information M is one-time: even if it is captured, the user's biological information cannot be derived from it in reverse. At the same time, the authentication server fully leads the whole authentication process, rather than authenticating only against static biological information (such information is always under the shadow of possible forgery).
Further, because the biological characteristic can only be produced by the user in person, even in the worst case where all the registration information on the server leaks, an attacker still cannot impersonate the user, so the damage is kept to a minimum. This is something almost no current system or method handles well.
Because our system uses a very convenient personal authentication apparatus, the three factors are used as one in a simple procedure, and the user no longer has to remember assorted troublesome passwords and passphrases; comfort is greatly improved.
The technical scheme of the present invention therefore effectively integrates the authentication factor "a biological characteristic the user has" with the other authentication factors and uses the personal authentication apparatus to capture the various authentication information in one place, further improving the security and ease of use of multi-factor authentication.
Brief description of the drawings
Fig. 1 is a schematic diagram of the hardware logic structure of the identity authorization system of the present invention.
Fig. 2 is a more detailed schematic diagram of the hardware logic structure of the identity authorization system of the present invention.
Fig. 3 is a flow chart of the identity registration method of the present invention.
Fig. 4 is a flow chart of the identity authentication method of the present invention.
Detailed description of the embodiments
So that those skilled in the art can fully understand and implement the technical scheme of the present invention, the general hardware logic structure, general definitions and principles it requires are described in detail before the specific embodiments.
Fig. 1 is a schematic diagram of the hardware structure of the identity registration system and the identity authorization system of the present invention. As the figure shows, the two have the same hardware logic structure. Both comprise a personal authentication apparatus 1 and an authentication server 2, and also a personal authentication apparatus management server 3 as a non-essential technical feature.
The personal authentication apparatus 1 is held and used by the user (the authenticated party). It is normally an electronic device that is handheld or otherwise easy to carry, such as a mobile phone or tablet with acquisition capability, and it must include a collecting unit able to capture the authentication factor "a biological characteristic the user has". The authentication server 2 is held and used by the service side (the authenticating party) and is generally a hardware server with communication capability and sufficient computing and storage capacity, plus supporting software. The personal authentication apparatus management server 3 provides management and services for the personal authentication apparatus 1 but is not involved at all in the services of the service providers or in users' confidential information; it provides only initial help.
The user (the authenticated party) uses the personal authentication apparatus 1 to carry out authentication with the three factors unified, which is both convenient and complete. The authentication server 2 independently completes the three-in-one authentication. Even if the authentication server 2 suffers a worst-case information leak and the user's registration information gets out, it is still extremely unlikely that anyone else could impersonate the user.
The basic idea of the technical scheme is as follows. In authentication based on biological characteristics, the user (the authenticated party) submits information about some biological characteristic of a person, and the service side (the authenticating party) authenticates by comparing it with such information (or an information module) stored earlier. Information of this kind, such as a voiceprint, fingerprint, eye print, vein pattern or facial features, has some advantages, for example being hard to forge and hard to repudiate, but it also has many drawbacks. The present invention takes input based on the user's various biological characteristics as the authentication content RD; RD comprises content information RC and biological information RB. The content information RC can serve as the "what is known" factor, and the biological information RB as the "biological characteristic" factor. The authentication content RD corresponding to each kind of biological characteristic is acquired as follows:
Voiceprint: voice input, usually captured with a microphone. The input is a natural mixture of content information RC and biological information RB; for example, if the voice input is "35", the content information RC is 35 and the biological information RB is the user's voiceprint features.
Fingerprint and palm print: contact input, usually captured with a contact sensor. Only a very small amount of content information RC can be carried, for example that the finger is the right index finger; most of the information is biological information RB (the fingerprint or palm print itself).
Eye print, facial features and vein pattern: optical input, usually captured with an optical sensor. There is no content information RC at all, only biological information RB (the eye print and so on).
Behavioural characteristics (gestures, handwriting, typing traces): usually captured with computer input devices such as a keyboard or screen. The authentication content RD is a natural mixture of content information RC and biological information RB, but it contains far less biological information RB than a voiceprint does. For example, for the keyboard input "abcde", the content information RC is abcde and the biological information RB is the trace of how the user typed it (some statistical invariants of the user's keyboard input); the amount of information in such a feature is usually small.
Both the content information RC and the biological information RB of these characteristics have their uses, and it is better still if the captured input contains both kinds of information. Voiceprints and behavioural characteristics therefore have a unique advantage, and the sensors for both are quite cheap, so the cost is very low.
Extracting content information RC and biological information RB from captured biometric input is a highly specialised technology and lies outside the innovation and scope of protection of this patent. We note, however, that although it is a rather difficult technology, it has made good progress in recent years. We can therefore assume that RC and RB can be extracted from the authentication content RD corresponding to the captured biological characteristic; this technology is treated as prior art and is not described in detail, and its specific form does not affect the implementation of the present invention.
Those skilled in the art will appreciate that the authentication content RD captured by the personal authentication apparatus 1 for the user's biological characteristic is split, after extraction, into content information RC and biological information RB, and that RC and RB can be sent to the authentication server 2 either directly or, after several layers of function computation, as intermediate information corresponding to RC and RB.
In the present invention, biological characteristics can be captured repeatedly to form and apply a set of biological characteristics. A data item that the collector can capture is called a collected sample, and the set of all items available for capture is called the collection set, denoted CJ. The data used for registration and authentication are elements of CJ, but the whole of CJ need not be used, only a subset of it; this set is called the registration set, denoted ZJ, and is a subset (possibly a proper subset) of CJ. Examples:
Example 1: CJ is the fingerprints of all the user's fingers, ZJ=CJ, and a collected sample is the fingerprint of one finger.
Example 2: CJ is the set of spoken numbers 0-99, ZJ={10,20,30,40,50,60,70,80,90}, and a collected sample is the data of one specified utterance.
Example 3: CJ is the set of all 5-letter strings, ZJ=CJ, and a collected sample is some 5-letter string typed on the keyboard, such as abcde or ijkom.
The principles that allow the present invention to be implemented and that give authentication higher security and ease of use are:
Principle 1: biological information should not be used directly. If it is used directly, especially in remote authentication, the characteristic information itself has to be sent over the network, which creates a considerable security risk. If it leaks in transit, later use becomes even more dangerous, because people usually place very high confidence in biological characteristics and problems are harder to detect. Biological characteristics are also few in number (a person has only ten fingerprints to use, for example), and once characteristic information has leaked it cannot be changed and corrected as easily as a password. Direct use of biological characteristics therefore carries too many risks. The best approach is to use them in combination with other means, for example mixed with the symmetric secret (called SK) in the handheld authentication apparatus. This ensures that only a one-time code, and a random one, is used in transit. The information used for registration is only some representation of the biological characteristic, so that even if it leaks completely in the worst case, it is still extremely unlikely that anyone else could impersonate the user. And because the registered biological information is not the raw biological information but a representation that cannot be used directly, the user's highly confidential biological information is fully protected.
Principle 2: the authenticating party should lead the authentication and direct the use of the biological characteristic, rather than merely passively accepting static biological information. The authenticating party then has multiple means of dealing with potential attacks.
The technical scheme of the present invention is based on these two principles. Combined with the personal authentication (registration) apparatus 1, it forms an authentication (registration) system which, together with a matching authentication (registration) method, achieves high security and ease of use in identity authentication.
To help those skilled in the art understand and implement the present application, the invention is further described below with reference to the drawings and specific embodiments.
Embodiment 1: the biological characteristic used in this embodiment is the voiceprint. The embodiment comprises the following technical schemes.
Scheme 1 of Embodiment 1: an identity registration method, as shown in Fig. 3. Symmetric secret information SK and a set of authentication content RD made up of content information RC and biological information RB are agreed in advance between the authentication server held by the authenticating party and the personal authentication apparatus held by the user. In this embodiment the personal authentication apparatus is a smartphone together with the software on it, the smartphone having a microphone and network capability, and the authentication server comprises a hardware server and corresponding software. The process of agreeing the symmetric secret information SK between the authentication server and the personal authentication apparatus is prior art, so how the symmetric key is generated and stored is not described in detail.
The identity registration method comprises the following steps:
S1. The authentication server sends an instruction to the personal authentication apparatus (the smartphone) and provides the corresponding one-time information T, which includes information on the selected type of authentication content RD. On receiving the instruction, the personal authentication apparatus prompts the user to input the authentication content RD;
Specifically: the user is asked to read the digits 1234 aloud.
S2. The user inputs the authentication content RD as prompted; the personal authentication apparatus obtains the input and decomposes it into content information RC and biological information RB;
Specifically: as requested, the user reads the digits 1234 into the phone's microphone. After the microphone captures the voice input, it is passed to the smartphone's processor, where software processes it and obtains the content information (the digits 1234) and the user's voice characteristic information, which includes biological information such as the fundamental frequency (pitch). This information is based on the individual's physiology: different people have different information, and it is hard to forge. (For convenience, the content information is called RC and the biological information RB.)
S3. The personal authentication apparatus (the smartphone's processor) computes the first information B from the biological information RB, the symmetric secret information SK and the one-time information T using a preset first algorithm;
The first information B is the information directly related to the biological information RB.
The requirement on any specific first algorithm in this step is that RB cannot be derived backwards from B even when SK and T are known; subject to that condition the algorithm can be varied freely. For example, one specific algorithm produces B from SK, T and RB with a mixing algorithm, and the resulting first information B is the biological information registered on the server. An example of a mixing algorithm is HMAC_h, the general name for a class of authentication methods that combine a hash algorithm with a message authentication code computation. HMAC stands for hash-based message authentication code, that is, an irreversible message authentication code; h denotes the hash algorithm chosen, and "hash algorithm" is the general name for a class of one-way, irreversible algorithms. What is used in transit, however, is not this value but TB=(SK, T) b, where the operator denotes an encryption algorithm, for example AES (the Advanced Encryption Standard, also known in cryptography as the Rijndael cipher, a block cipher standard adopted by the U.S. federal government) or a Chinese national (guomi) cipher algorithm. The server can then compute B from TB and use it for registration.
S4. The personal authentication apparatus computes the second information C from the content information RC, the symmetric secret information SK and the one-time information T using a preset second algorithm;
The second information C is the information directly related to the content information RC.
The requirement on any specific second algorithm in this step is that RC cannot be derived backwards from C even when SK and T are known; subject to that condition the algorithm can be varied freely.
S5. The personal authentication apparatus computes the third information M from the first information B and the second information C using a preset third algorithm;
One specific form of the third algorithm in this step is M=B+C, or M=B+C+TC, where TC is the encryption of T; the algorithm can be varied freely.
The concrete measures corresponding to steps S3, S4 and S5 are: the processor further processes the information SK, T, RC and RB to obtain the information M. The specific algorithm is as follows:
A. Use the algorithm Hmac_sha (an internationally common algorithm for mixing information) to compute an hmac over SK and RB, obtaining the information BRg; then encrypt BRg with the AES algorithm using T as the key, obtaining the information B;
B. Use the algorithm Hmac_sha to compute an hmac over SK, RC and T, obtaining the information C;
C. Concatenate the information B and the information C to obtain the information M;
Those skilled in the art will appreciate that although this embodiment gives the specific algorithm Hmac_sha for computing the third information M, the above steps are not limited to that algorithm; any other existing algorithm for encrypting data can be applied in them.
S6. The personal authentication apparatus sends the third information M to the authentication server, and the authentication server decomposes the third information M into the first information B and the second information C by the inverse operation of the preset third algorithm;
Specifically: the smartphone sends the third information M back to the authentication server. The channel can be encrypted, and we recommend an encrypted channel, but even an open channel does not compromise the authentication process. If, in this step, a transport key e is used and the encrypted form eM=M e is what is transmitted, security in transit is further strengthened. The authentication server recovers M from eM and obtains B and C (and possibly TC) from M.
S7. The authentication server takes the first information B or the second information C obtained by the decomposition, or the first intermediate information BRg corresponding to the first information B, or the second intermediate information CRg corresponding to the second information C, as the user's registration data W and stores it in the database of the authentication server.
The concrete measures corresponding to steps S6 and S7 are: the phone sends the information M back to the server, and the server computes as follows with M: it first splits M into B and C and uses C for a preliminary verification; it then decrypts B with the AES algorithm (T being the key) to obtain BRg, which is stored in the server's database as this user's main registration data.
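The registration computation of steps S3 to S7 (measures A to C on the device, then split, check and decrypt on the server), as an added Go example that is not code from the patent or its applicant. It goes one step further than the registration text and repeats the exchange with a fresh T, so that the server-side comparison of the recovered BRg against the stored registration data can be seen. Assumptions: SHA-256 for the hash, AES-GCM keyed by a 16-byte T for the AES step, length-prefixed HMAC inputs, and RB supplied as an exactly reproducible byte string; all function names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumptions (not fixed by the patent text): SHA-256 as the hash h, AES-GCM
// as the AES step, and a 16-byte T used directly as the one-time AES key.
const (
	nonceLen = 12
	bLen     = nonceLen + sha256.Size + 16 // nonce || ciphertext || GCM tag
)

// mac returns HMAC-SHA256 under SK over length-prefixed parts, so that
// (RC, T) pairs with different boundaries cannot produce the same input.
func mac(sk []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, sk)
	for _, p := range parts {
		h.Write([]byte{byte(len(p) >> 8), byte(len(p))})
		h.Write(p)
	}
	return h.Sum(nil)
}

func aeadFor(t []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(t) // rejects a T that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// DeviceBuildM performs steps S3-S5 on the personal authentication apparatus.
func DeviceBuildM(sk, t, rc, rb []byte) ([]byte, error) {
	brg := mac(sk, rb) // A: BRg = HMAC(SK, RB); RB itself never leaves the device
	aead, err := aeadFor(t)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b := aead.Seal(nonce, nonce, brg, nil) // A: B = AES_T(BRg), nonce prepended
	c := mac(sk, rc, t)                    // B: C = HMAC(SK, RC, T)
	return append(b, c...), nil            // C: M = B || C
}

// ServerOpenM performs steps S6-S7: split M, check C, decrypt B to BRg.
func ServerOpenM(sk, t, expectedRC, m []byte) ([]byte, error) {
	if len(m) != bLen+sha256.Size {
		return nil, errors.New("M has unexpected length")
	}
	b, c := m[:bLen], m[bLen:]
	if !hmac.Equal(c, mac(sk, expectedRC, t)) { // preliminary check on C
		return nil, errors.New("C mismatch: wrong SK, stale T, or wrong content RC")
	}
	aead, err := aeadFor(t)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b[:nonceLen], b[nonceLen:], nil) // BRg, or error if B was altered
}

// Authenticate compares stored registration data W with a fresh W1 in constant time.
func Authenticate(w, w1 []byte) bool { return hmac.Equal(w, w1) }

func main() {
	sk := []byte("constructed-demo-symmetric-key!!") // constructed sample SK
	rc := []byte("1234")                             // content the server asked the user to read
	rb := []byte("constructed-voiceprint-template")  // constructed stand-in for RB
	t1 := make([]byte, 16)
	rand.Read(t1) // server-chosen one-time T for registration
	m, _ := DeviceBuildM(sk, t1, rc, rb)
	w, err := ServerOpenM(sk, t1, rc, m)
	fmt.Printf("registered W (first 8 bytes)=%x err=%v\n", w[:8], err)

	t2 := make([]byte, 16)
	rand.Read(t2) // fresh T for a later authentication
	m2, _ := DeviceBuildM(sk, t2, rc, rb)
	w1, _ := ServerOpenM(sk, t2, rc, m2)
	fmt.Println("same user, fresh T:", Authenticate(w, w1))
	_, err = ServerOpenM(sk, t2, rc, m) // the old M replayed under the new T
	fmt.Println("replayed M:", err)
}
```

Because C binds T, a captured M is rejected as soon as the server issues a new T, and the stored value is HMAC(SK, RB) rather than the voiceprint itself. A real feature extractor produces slightly different RB on each capture, so the exact-match comparison here only works under the stated assumption of a reproducible RB encoding.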
The scheme 2 of embodiment 1: a kind of identity registration system, as shown in Figure 2, it is characterized in that, comprise the personal authentication apparatus that user holds, the certificate server that authenticating party is held, there is the symmetry machine confidential information SK made an appointment, the set of the authentication content RD of content information RC and biological information RB between personal authentication apparatus and certificate server;
Personal authentication apparatus in the present embodiment in the present embodiment is smart mobile phone, and the software on smart mobile phone, and smart mobile phone possesses microphone and network function, and certificate server comprises hardware server and corresponding software.
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, in the present embodiment, authentication content RD is " user reads in numeral 1234 ", and the numeral " 1234 " of refining from authentication content RD is content information RC, and the vocal print refined from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, carrying out calculating for adopting the first default algorithm produce first information B to described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T, for adopting the 3rd default algorithm, the 3rd information M is calculated to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, send instruction to personal authentication apparatus for receiving certificate server and corresponding disposable information T is provided, for personal authentication apparatus, the 3rd information M being sent to certificate server;
Memory cell, for storing the data message obtained from the collecting unit, processing unit and communication unit of the personal authentication apparatus;
Described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, sending instruction for certificate server to personal authentication apparatus and corresponding disposable information T is provided, being sent to the 3rd information M of certificate server for receiving personal authentication apparatus;
Processing unit, for carrying out the inverse operation of the preset 3rd algorithm on the 3rd information M to decompose it into first information B and second information C; and for storing the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, in the database of the certificate server as the log-on data W of the user;
Memory cell, for storing the data message obtained from communication unit and the processing unit of certificate server.
Scheme 3 of embodiment 1: an identity authentication method, as shown in Figure 4, in which the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, are arranged in advance between the certificate server held by the authenticating party and the personal authentication apparatus held by the user;
Described identity identifying method comprises the steps:
S1. certificate server sends instruction to personal authentication apparatus and provides corresponding disposable information T, described disposable information T comprises the information of selected authentication content RD type, and personal authentication apparatus points out user's input authentication content RD after receiving instruction;
The concrete measure is: the server sends an instruction to the smart mobile phone, and the smart mobile phone displays what the user is required to input, for example a request that the user read the number 1234 aloud; at the same time, the server sends a disposable password (called T for convenience) to the smart mobile phone;
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
The concrete measure is: as required, the user reads the number 1234 aloud into the microphone of the mobile phone;
S3. personal authentication apparatus adopts the first algorithm preset that described biological information RB, symmetry machine confidential information SK, disposable information T are carried out to calculating and produce first information B;
S4. personal authentication apparatus adopts the second algorithm preset to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts the 3rd algorithm preset to calculate the 3rd information M to described first information B and the second information C;
The concrete measure corresponding to steps S3, S4 and S5 above is: the processor further processes the information SK, T, RC and RB to obtain information M. The concrete algorithm is as follows:
A. Use algorithm Hmac_sha (a hybrid algorithm for mixing information that is in general use worldwide) to do an hmac calculation on SK and RB, obtaining information BRg; then encrypt BRg with algorithm AES, using T as the key, to obtain information B;
B. Use algorithm Hmac_sha to do an hmac calculation on SK, RC and T, obtaining information C;
C. Link information B and information C to obtain information M;
S6. the 3rd information M is sent to certificate server by personal authentication apparatus, and described certificate server carries out inverse operation according to the 3rd algorithm preset and the 3rd information M decomposition computation is obtained first information B and the second information C;
S7. The certificate server takes the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, as the certification log-on data W1;
S8. The certificate server compares the certification log-on data W1 obtained in step S7 with the log-on data W that was calculated in advance and stored on the certificate server; if certification log-on data W1 is consistent with log-on data W, the authentication of the user passes, otherwise the authentication of the user fails.
The concrete measure corresponding to steps S6, S7 and S8 above is: the mobile phone sends information M back to the server. The channel that carries the information can be an encrypted channel, and we recommend an encrypted channel; however, even an open channel does not damage the verification process. The server possesses enough information to calculate C and B on its own (the information needed is SK and T, and RC and BRg); it then matches the information calculated in this way against the information sent by the mobile phone, so the server can verify M.
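The registration and authentication flows of embodiment 1 (device steps S3 to S5, server steps S6 to S8), written out as an added Go example that is not code from the patent. Assumptions: Hmac_sha is taken as HMAC-SHA256, AES is used as AES-256-GCM with the key SHA-256(T), HMAC inputs are length-prefixed, RB is a stable byte string, one SK serves all users, and all function names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const macLen = sha256.Size // size of BRg and of C; HMAC-SHA256 is an assumption

// mac is HMAC-SHA256 under SK over length-prefixed parts, so the boundary
// between fields such as RC and T is unambiguous (the framing is an assumption).
func mac(sk []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, sk)
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}

// aeadFor turns the one-time value T into AES-256-GCM. Assumption: the key is
// SHA-256(T); the page only says that AES is used with T as the key.
func aeadFor(t []byte) cipher.AEAD {
	key := sha256.Sum256(t)
	blk, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(blk)   // cannot fail for an AES block cipher
	return aead
}

// DeviceMessage performs steps S3-S5 on the personal authentication apparatus:
// BRg = HMAC(SK, RB), B = AES_T(BRg), C = HMAC(SK, RC, T), M = B || C.
func DeviceMessage(sk, t, rc, rb []byte) ([]byte, error) {
	aead := aeadFor(t)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b := aead.Seal(nonce, nonce, mac(sk, rb), nil) // B = nonce || ciphertext || tag
	return append(b, mac(sk, rc, t)...), nil
}

// ServerOpen performs step S6: split M, check C against the value the server
// computes itself, then decrypt B under T to recover BRg.
func ServerOpen(sk, t, rc, m []byte) ([]byte, error) {
	aead := aeadFor(t)
	n := aead.NonceSize()
	if len(m) != n+macLen+aead.Overhead()+macLen {
		return nil, errors.New("M has the wrong length")
	}
	b, c := m[:len(m)-macLen], m[len(m)-macLen:]
	if !hmac.Equal(c, mac(sk, rc, t)) { // preliminary verification with C
		return nil, errors.New("C does not match: SK, RC or T differs")
	}
	return aead.Open(nil, b[:n], b[n:], nil)
}

// Server holds SK and the log-on data W (here BRg) for each user.
type Server struct {
	sk []byte
	w  map[string][]byte
}

// Register is step S7 of the registration method: store BRg as W.
func (s *Server) Register(user string, t, rc, m []byte) error {
	brg, err := ServerOpen(s.sk, t, rc, m)
	if err == nil {
		s.w[user] = brg
	}
	return err
}

// Authenticate is steps S7-S8 of the authentication method: W1 must equal W.
func (s *Server) Authenticate(user string, t, rc, m []byte) bool {
	w1, err := ServerOpen(s.sk, t, rc, m)
	w, ok := s.w[user]
	return err == nil && ok && hmac.Equal(w1, w)
}

func main() {
	// All values below are constructed sample data.
	sk, rc, rb := []byte("constructed-SK"), []byte("1234"), []byte("constructed-voiceprint")
	t1, t2 := []byte("T-registration"), []byte("T-login")
	srv := &Server{sk: sk, w: map[string][]byte{}}
	m1, _ := DeviceMessage(sk, t1, rc, rb)
	m2, _ := DeviceMessage(sk, t2, rc, rb)
	fmt.Println("register error:", srv.Register("alice", t1, rc, m1))
	fmt.Println("fresh M accepted:", srv.Authenticate("alice", t2, rc, m2))
	fmt.Println("old M accepted:", srv.Authenticate("alice", t2, rc, m1))
}
```

The message from the registration round is rejected in the login round because C binds M to the one-time value T, which is the property the page relies on when it says an open channel does not damage the verification process.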
Scheme 4 of embodiment 1: an identity authorization system, as shown in Figure 2, characterized in that it comprises the personal authentication apparatus held by the user and the certificate server held by the authenticating party; agreed in advance between the personal authentication apparatus and the certificate server are the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB;
In the present embodiment the personal authentication apparatus is a smart mobile phone together with the software on it; the smart mobile phone has a microphone and network functions, and the certificate server comprises a hardware server and the corresponding software.
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, authentication content RD is "the user reads the number 1234 aloud"; the number "1234" extracted from authentication content RD is content information RC, and the vocal print extracted from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, carrying out calculating for adopting the first default algorithm produce first information B to described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T, for adopting the 3rd default algorithm, the 3rd information M is calculated to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, send instruction to personal authentication apparatus for receiving certificate server and corresponding disposable information T is provided, for personal authentication apparatus, the 3rd information M being sent to certificate server;
Memory cell, for storing the data message obtained from the collecting unit, processing unit and communication unit of the personal authentication apparatus;
Described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, sending instruction for certificate server to personal authentication apparatus and corresponding disposable information T is provided, being sent to the 3rd information M of certificate server for receiving personal authentication apparatus;
Processing unit, for carrying out the inverse operation of the preset 3rd algorithm on the 3rd information M to decompose it into first information B and second information C; for storing the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, in the database of the certificate server as the log-on data W1 of the user; and for comparing the certification log-on data W1 with the log-on data W that was calculated in advance and stored on the certificate server, such that if certification log-on data W1 is consistent with log-on data W, the authentication of the user passes, otherwise the authentication of the user fails;
Memory cell, for storing the data message obtained from communication unit and the processing unit of certificate server.
Scheme 5 of embodiment 1: a personal authentication apparatus for use in an identity registration system or identity authorization system that comprises the personal authentication apparatus held by the user and the certificate server held by the authenticating party, with the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, agreed in advance between the personal authentication apparatus and the certificate server; it is characterized in that,
Described personal authentication apparatus at least comprises as lower unit:
Collecting unit, for gathering the authentication content RD of user's input;
In the present embodiment, authentication content RD is "the user reads the number 1234 aloud"; the number "1234" extracted from authentication content RD is content information RC, and the vocal print extracted from authentication content RD is biological information RB;
Processing unit, for being content information RC and biological information RB by authentication content RD resolution process, carrying out calculating for adopting the first default algorithm produce first information B to described biological information RB, symmetry machine confidential information SK, disposable information T; For adopting the second default algorithm to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T, for adopting the 3rd default algorithm, the 3rd information M is calculated to described first information B and the second information C;
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, send instruction to personal authentication apparatus for receiving certificate server and corresponding disposable information T is provided, for personal authentication apparatus, the 3rd information M being sent to certificate server;
Memory cell, for storing the data message obtained from the collecting unit, processing unit and communication unit of the personal authentication apparatus.
Scheme 6 of embodiment 1: a certificate server for use in an identity registration system that comprises the personal authentication apparatus held by the user and the certificate server held by the authenticating party, with the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, agreed in advance between the personal authentication apparatus and the certificate server;
In the present embodiment, authentication content RD is "the user reads the number 1234 aloud"; the number "1234" extracted from authentication content RD is content information RC, and the vocal print extracted from authentication content RD is biological information RB;
It is characterized in that, described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, sending instruction for certificate server to personal authentication apparatus and corresponding disposable information T is provided, being sent to the 3rd information M of certificate server for receiving personal authentication apparatus;
Processing unit, for carrying out the inverse operation of the preset 3rd algorithm on the 3rd information M to decompose it into first information B and second information C; and for storing the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, in the database of the certificate server as the log-on data W of the user;
Memory cell, for storing the data message obtained from communication unit and the processing unit of certificate server.
Scheme 7 of embodiment 1: a certificate server for use in an identity authorization system that comprises the personal authentication apparatus held by the user and the certificate server held by the authenticating party, with the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, agreed in advance between the personal authentication apparatus and the certificate server;
In the present embodiment, authentication content RD is "the user reads the number 1234 aloud"; the number "1234" extracted from authentication content RD is content information RC, and the vocal print extracted from authentication content RD is biological information RB;
It is characterized in that, described certificate server at least comprises as lower unit:
Communication unit, for realizing the data communication between personal authentication apparatus and certificate server, sending instruction for certificate server to personal authentication apparatus and corresponding disposable information T is provided, being sent to the 3rd information M of certificate server for receiving personal authentication apparatus;
Processing unit, for carrying out the inverse operation of the preset 3rd algorithm on the 3rd information M to decompose it into first information B and second information C; for storing the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, in the database of the certificate server as the log-on data W1 of the user; and for comparing the certification log-on data W1 with the log-on data W that was calculated in advance and stored on the certificate server, such that if certification log-on data W1 is consistent with log-on data W, the authentication of the user passes, otherwise the authentication of the user fails;
Memory cell, for storing the data message obtained from communication unit and the processing unit of certificate server.
Embodiment 2: the hardware system on which this embodiment is based is identical to that of embodiment 1 and is not described again.
The biological characteristic of the authentication content RD adopted in this embodiment is a behavioural characteristic (a gesture): specifically, the user draws a prescribed circle with thumb and forefinger. The smart mobile phone collects this input (that is, the authentication content RD), which can be resolved into two kinds of information. One is content information RC, namely the position of the circle and so on; the other is individual behavioural characteristic information (that is, biological information RB), namely the speed of the gesture, its statistical relationships and similar information. The processor of the smart mobile phone obtains this information by processing the gesture input. The information is based on the physiological characteristics and habits of the individual, so different people produce different information, and this information is difficult to forge.
Because the hardware system in this embodiment is identical to that of embodiment 1 and only the authentication content RD differs, the processing procedure and technical schemes are the same as in embodiment 1; the 7 concrete technical schemes based on this different authentication content (identity registration and authentication methods, systems, personal authentication apparatus, certificate server and so on) are therefore not described again.
Embodiment 3: the hardware system on which this embodiment is based is identical to that of embodiment 1 and is not described again.
The biological characteristic of the authentication content RD adopted in this embodiment is a fingerprint. Authentication content RD is still divided into content information RC and biological information RB. The content information is which fingerprint is used, for example the left index finger; in this embodiment there is little content information, only 10 items. Biological information RB is the fingerprint itself; fingerprint information is based on the physiological characteristics of the individual, so different people have different information, and this information is difficult to forge.
Because the hardware system in this embodiment is identical to that of embodiment 1 and only the authentication content RD differs, the processing procedure and technical schemes are the same as in embodiment 1; the 7 concrete technical schemes based on this different authentication content (identity registration and authentication methods, systems, personal authentication apparatus, certificate server and so on) are therefore not described again.
Embodiment 4: the hardware system on which this embodiment is based comprises the certificate server held by the authenticating party and the personal authentication apparatus held by the user; the personal authentication apparatus contains a hardware identification device and a separate browser device with network functions. The difference from the hardware system of embodiment 1 is that in embodiment 1 the hardware identification device and the browser device are integrated into one hardware device, the personal authentication apparatus, whereas in embodiment 4 the personal authentication apparatus is separated into two relatively independent hardware devices: the hardware identification device and the separate browser device with network functions. The hardware identification device in embodiment 4 is a specially designed hardware identification device (also called a token, etc.) together with the software installed on it; network confirmation during the verification process is carried out through the browser device as an intermediary. The browser device is a hardware platform with network functions, such as a computer or mobile phone, on which browser software is installed.
For the ease of those skilled in the art understanding and implement the present patent application, below in conjunction with accompanying drawing and specific embodiment, the present invention is described further.
Scheme 1 of embodiment 4: an identity registration method, characterized in that the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, are arranged in advance between the certificate server held by the authenticating party and the personal authentication apparatus held by the user;
Described identity registration method comprises the steps:
S1. certificate server sends instruction to personal authentication apparatus and provides corresponding disposable information T, described disposable information T comprises the information of selected authentication content RD type, and personal authentication apparatus points out user's input authentication content RD after receiving instruction;
The biological characteristic of the authentication content RD adopted in this embodiment is a fingerprint. Authentication content RD is still divided into content information RC and biological information RB. The content information is which fingerprint is used, for example the left index finger; in this embodiment there is little content information, only 10 items. Biological information RB is the fingerprint itself; fingerprint information is based on the physiological characteristics of the individual, so different people have different information, and this information is difficult to forge.
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
S3. personal authentication apparatus adopts the first algorithm preset that described biological information RB, symmetry machine confidential information SK, disposable information T are carried out to calculating and produce first information B;
S4. personal authentication apparatus adopts the second algorithm preset to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts the 3rd algorithm preset to calculate the 3rd information M to described first information B and the second information C;
In the present embodiment, the concrete measure for steps S4 and S5 is: the hardware identification device in the personal authentication apparatus further processes the information SK, RC and RB to obtain information M.
The concrete algorithm is as follows:
Use the hmac_sha algorithm to do an hmac calculation on SK and RB, obtaining information BRg;
Use the hmac_sha algorithm to do an hmac calculation on SK and RC, obtaining information C;
Link information BRg and information C to obtain information M1;
The hardware identification device shows information M1 on its display unit, and the user inputs information M1 into the browser device; the browser device then does the following calculation on the information:
Decompose M1 to obtain BRg and C;
Then encrypt BRg, using T as the key, to obtain information KBRg;
Link information KBRg and information C to obtain information M;
S6. the 3rd information M is sent to certificate server by personal authentication apparatus, and described certificate server carries out inverse operation according to the 3rd algorithm preset and the 3rd information M decomposition computation is obtained first information B and the second information C;
S7. The certificate server takes the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, as the log-on data W of the user, and stores it in the database of the certificate server.
In the present embodiment, the concrete measure for steps S6 and S7 is: the browser device in the personal authentication apparatus sends the 3rd information M to the certificate server, and the certificate server processes M as follows. It first obtains KBRg and C and uses C for a preliminary verification; it then decrypts KBRg with the AES algorithm (with T as the key) to obtain BRg. BRg is stored in the server's database as the main log-on data of this user.
Scheme 2 of embodiment 4: an identity authentication method, characterized in that the symmetry machine confidential information SK and the set of authentication content RD, made up of content information RC and biological information RB, are arranged in advance between the certificate server held by the authenticating party and the personal authentication apparatus held by the user;
Described identity identifying method comprises the steps:
S1. certificate server sends instruction to personal authentication apparatus and provides corresponding disposable information T, and described disposable information T comprises the information of selected authentication content RD type, and personal authentication apparatus points out user's input authentication content RD after receiving instruction;
The biological characteristic of the authentication content RD adopted in this embodiment is a fingerprint. Authentication content RD is still divided into content information RC and biological information RB. The content information is which fingerprint is used, for example the left index finger; in this embodiment there is little content information, only 10 items. Biological information RB is the fingerprint itself; fingerprint information is based on the physiological characteristics of the individual, so different people have different information, and this information is difficult to forge.
S2. user is according to prompting input authentication content RD, and personal authentication apparatus obtains the authentication content RD of input and is content information RC and biological information RB by authentication content RD resolution process;
S3. personal authentication apparatus adopts the first algorithm preset that described biological information RB, symmetry machine confidential information SK, disposable information T are carried out to calculating and produce first information B;
S4. personal authentication apparatus adopts the second algorithm preset to carry out calculating generation second information C to described content information RC, symmetry machine confidential information SK, disposable information T;
S5. personal authentication apparatus adopts the 3rd algorithm preset to calculate the 3rd information M to described first information B and the second information C;
In the present embodiment, the concrete measure for steps S4 and S5 is: the hardware identification device in the personal authentication apparatus further processes the information SK, RC and RB to obtain information M.
The concrete algorithm is as follows:
Use the hmac_sha algorithm to do an hmac calculation on SK and RB, obtaining information BRg;
Use the hmac_sha algorithm to do an hmac calculation on SK and RC, obtaining information C;
Link information BRg and information C to obtain information M1;
The hardware identification device shows information M1 on its display unit, and the user inputs information M1 into the browser device; the browser device then does the following calculation on the information:
Decompose M1 to obtain BRg and C;
Then encrypt BRg, using T as the key, to obtain information KBRg;
Link information KBRg and information C to obtain information M;
S6. the 3rd information M is sent to certificate server by personal authentication apparatus, and described certificate server carries out inverse operation according to the 3rd algorithm preset and the 3rd information M decomposition computation is obtained first information B and the second information C;
S7. The certificate server takes the first information B or the second information C obtained by the decomposition, or the first average information BRg corresponding to the first information B, or the second average information CRg corresponding to the second information C, as the certification log-on data W1;
S8. The certificate server compares the certification log-on data W1 obtained in step S7 with the log-on data W that was calculated in advance and stored on the certificate server; if certification log-on data W1 is consistent with log-on data W, the authentication of the user passes, otherwise the authentication of the user fails.
In the present embodiment, the concrete measure for steps S6, S7 and S8 is: the browser device in the personal authentication apparatus sends the 3rd information M to the certificate server, and the certificate server processes M as follows. It first obtains KBRg and C and uses C for a preliminary verification; it then decrypts KBRg with the AES algorithm (with T as the key) to obtain BRg. The BRg obtained is held temporarily as certification log-on data W1, and W1 is then matched against the log-on data W stored in advance in the certificate server, thereby authenticating the user.
Because the hardware system in embodiment 4 differs from embodiment 1 only in the specific implementation of the personal authentication apparatus, and the authentication content RD is identical to that of embodiment 3, the concrete technical schemes based on this authentication content, such as the identity registration and Verification System, the personal authentication apparatus and the certificate server, are not described again.
In the numerous technical schemes in the embodiments of the present application, all three factors are fully used and each is indispensable. During the process, what the user knows, what the user has, and the biological characteristic of the user must all be present and correctly used at the same time; otherwise certification cannot be passed. Note that information M is disposable: even if it is obtained, the biological information of the user cannot be derived from it in reverse. Meanwhile, the certificate server (that is, the certifying party) can fully control the whole verification process, rather than merely certifying against static biological information (which is always under the shadow of possible forgery).
Further, because the biological characteristic can only be produced by the user in person, even in the worst case where all the log-on information on the server is revealed, this property prevents an assailant from impersonating the user, so the damage is kept to a minimum. Almost no current system or method can provide this property; with our system and method, this goal can be reached.
Because our system uses a very convenient personal authentication apparatus, and the three factors are used together in a simple procedure, the user no longer has to remember various troublesome passwords, passphrases and the like, and comfort is greatly improved. Our system lets a user bind services with any service provider using only one authenticator, so cost falls significantly. Such a high level of safety, such a convenient user experience and such a low system and usage cost are beyond the reach of current systems and methods, and are what the market is actively seeking.
Those of ordinary skill in the art will appreciate that the embodiments described here are intended to help the reader understand the principle of the present invention, and that the protection scope of the present invention is not limited to these particular statements and embodiments. Those of ordinary skill in the art can, according to the technical teaching disclosed by the present invention, make various other concrete variations and combinations that do not depart from the essence of the present invention, and these variations and combinations remain within the protection scope of the present invention.

Claims (4)

1. An identity authorization system, characterized in that it comprises a personal authentication apparatus held by the user and a certificate server held by the authenticating party; the personal authentication apparatus and the certificate server share pre-agreed symmetric secret information SK and a set of authentication content RD consisting of content information RC and biological information RB;
The personal authentication apparatus comprises at least the following units:
A collecting unit, for collecting the authentication content RD input by the user;
A processing unit, for decomposing the authentication content RD into content information RC and biological information RB; for applying a preset first algorithm to the biological information RB, the symmetric secret information SK and one-time information T to produce first information B; for applying a preset second algorithm to the content information RC, the symmetric secret information SK and the one-time information T to produce second information C; and for applying a preset third algorithm to the first information B and the second information C to compute third information M; the one-time information T includes information on the selected type of authentication content RD;
A communication unit, for data communication between the personal authentication apparatus and the certificate server, for receiving the instruction that the certificate server sends to the personal authentication apparatus together with the corresponding one-time information T, and for sending the third information M from the personal authentication apparatus to the certificate server;
A memory unit, for storing the data obtained from the collecting unit, processing unit and communication unit of the personal authentication apparatus;
The certificate server comprises at least the following units:
A communication unit, for data communication between the personal authentication apparatus and the certificate server, for sending the instruction from the certificate server to the personal authentication apparatus together with the corresponding one-time information T, and for receiving the third information M that the personal authentication apparatus sends to the certificate server;
A processing unit, for decomposing the third information M, by the inverse operation of the preset third algorithm, to obtain the first information B and the second information C; for storing in the database of the certificate server, as the user's registration data W1, the first information B or the second information C so obtained, or the first intermediate information BRg corresponding to the first information B, or the second intermediate information CRg corresponding to the second information C; and for comparing the authentication registration data W1 with the registration data W precomputed and stored on the certificate server: if W1 is consistent with W, the user's authentication passes; otherwise the user's authentication fails;
A memory unit, for storing the data obtained from the communication unit and processing unit of the certificate server;
The collecting unit, communication unit and memory unit of the personal authentication apparatus are each connected to its processing unit; the communication unit and memory unit of the certificate server are each connected to its processing unit; and the personal authentication apparatus and the certificate server communicate through their respective communication units.
2. The identity authorization system according to claim 1, characterized in that the personal authentication apparatus is a smartphone.
3. The identity authorization system according to claim 1, characterized in that the personal authentication apparatus comprises a hardware identification device and a separate browser device with network capability.
4. The identity authorization system according to claim 3, characterized in that the browser device is a hardware platform with network capability on which browser software is installed, namely a computer or a mobile phone.
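The exchange in claim 1, as an added example that is not part of the patent text. The claim leaves the three preset algorithms unspecified, so this sketch assumes HMAC-SHA256 for the first and second algorithms and plain concatenation for the third, assumes RB is an already stabilised biometric template that matches exactly, and has the server check B and C against values recomputed from registered digests and the T it issued; all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(sk: bytes, label: bytes, t: bytes, d: bytes) -> bytes:
    # Assumed stand-in for the unspecified "preset" first/second algorithms.
    return hmac.new(sk, label + t + d, hashlib.sha256).digest()

def device_response(sk: bytes, t: bytes, rb: bytes, rc: bytes) -> bytes:
    b = mac(sk, b"B", t, digest(rb))   # first information B from RB, SK, T
    c = mac(sk, b"C", t, digest(rc))   # second information C from RC, SK, T
    return b + c                       # third algorithm (assumed): concatenation -> M

class AuthServer:
    def __init__(self, sk: bytes):
        self.sk = sk
        self.registered = {}   # user -> (digest(RB), digest(RC)), standing in for W
        self.pending = {}      # user -> one-time T not yet used

    def register(self, user: str, rb: bytes, rc: bytes) -> None:
        self.registered[user] = (digest(rb), digest(rc))

    def challenge(self, user: str, content_type: bytes = b"pin") -> bytes:
        # T carries the selected authentication content type plus a fresh nonce.
        t = content_type + b":" + secrets.token_bytes(16)
        self.pending[user] = t
        return t

    def verify(self, user: str, m: bytes) -> bool:
        t = self.pending.pop(user, None)          # T is consumed on first use
        if t is None or user not in self.registered or len(m) != 64:
            return False
        b, c = m[:32], m[32:]                     # inverse of the third algorithm
        rb_d, rc_d = self.registered[user]
        ok_b = hmac.compare_digest(b, mac(self.sk, b"B", t, rb_d))
        ok_c = hmac.compare_digest(c, mac(self.sk, b"C", t, rc_d))
        return ok_b and ok_c                      # both factors must match

def demo() -> tuple:
    sk = secrets.token_bytes(32)                  # constructed sample values
    srv = AuthServer(sk)
    srv.register("alice", b"template-A", b"4711")
    m = device_response(sk, srv.challenge("alice"), b"template-A", b"4711")
    first, replay = srv.verify("alice", m), srv.verify("alice", m)
    m2 = device_response(sk, srv.challenge("alice"), b"template-X", b"4711")
    return first, replay, srv.verify("alice", m2)
```

Because the server discards T once it has verified a response, a captured M is rejected when it is presented a second time.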
CN201310178207.3A 2013-05-14 2013-05-14 Identity authorization system Active CN103297238B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310178207.3A CN103297238B (en) 2013-05-14 2013-05-14 Identity authorization system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310178207.3A CN103297238B (en) 2013-05-14 2013-05-14 Identity authorization system

Publications (2)

Publication Number Publication Date
CN103297238A CN103297238A (en) 2013-09-11
CN103297238B true CN103297238B (en) 2015-10-28

Family

ID=49097595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310178207.3A Active CN103297238B (en) 2013-05-14 2013-05-14 Identity authorization system

Country Status (1)

Country Link
CN (1) CN103297238B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462908B (en) * 2013-09-12 2018-01-19 中国电信股份有限公司 A kind of method and system of touch-screen finger writing signature

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1085424A1 (en) * 1998-05-21 2001-03-21 Yutaka Yasukura Authentication card system
CN102004872A (en) * 2010-10-27 2011-04-06 杨莹 Fingerprint encryption-based identity authentication system and implementation method thereof
CN102223233A (en) * 2011-06-15 2011-10-19 刘洪利 Biological code authentication system and biological code authentication method

Also Published As

Publication number Publication date
CN103297238A (en) 2013-09-11

Similar Documents

Publication Publication Date Title
US11855983B1 (en) Biometric electronic signature authenticated key exchange token
CN1972189B (en) Biometrics authentication system
EP2648163B1 (en) A personalized biometric identification and non-repudiation system
CN101159554B (en) Biometric authentication system, enrollment terminal, authentication terminal and authentication server
CN103297237B (en) Identity registration and authentication method, system, personal authentication apparatus and certificate server
US11764971B1 (en) Systems and methods for biometric electronic signature agreement and intention
CN105491077B (en) A kind of system of authentication
WO2012042775A1 (en) Biometric authentication system, communication terminal device, biometric authentication device, and biometric authentication method
Wei et al. An intelligent terminal based privacy-preserving multi-modal implicit authentication protocol for internet of connected vehicles
CN107209821A (en) For the method and authentication method being digitally signed to e-file
EP3257194A1 (en) Systems and methods for securely managing biometric data
JP7139414B2 (en) Authentication terminal, authentication device, and authentication method and system using the same
WO2012097362A2 (en) Protecting codes, keys and user credentials with identity and patterns
JP2005010826A (en) Authentication terminal device, biometrics information authentication system and biometrics information acquisition system
CN101420301A (en) Human face recognizing identity authentication system
CN109067766A (en) A kind of identity identifying method, server end and client
EP2579221A1 (en) Template delivery type cancelable biometric authentication system and method therefor
CN109756893A (en) A kind of intelligent perception Internet of Things anonymous authentication method based on chaotic maps
CN107592308A (en) A kind of two server multiple-factor authentication method towards mobile payment scene
US11405387B1 (en) Biometric electronic signature authenticated key exchange token
JP2006155547A (en) Individual authentication system, terminal device and server
CN203243360U (en) Identity registration system
CN103297238B (en) Identity authorization system
CN103248629B (en) Identity registration system
CN103607280B (en) Personal authentication apparatus

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant